SUMMARY

This article describes how to back up the recovery agent Encrypting File System (EFS) private key on a computer that is running Microsoft Windows Server 2003, Microsoft Windows 2000, Microsoft Windows XP, Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2. Use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost. This article contains information about how to use the Certificate Export Wizard to export the recover agent's private key from a computer that is a member of a workgroup, and from a Windows Server 2003-based, Windows 2000-based, Windows Server 2008-based or Windows Server 2008 R2-based domain controller.

IN THIS TASK

INTRODUCTION

This article describes how to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, in Windows XP, in Windows Vista, in Windows 7, in Windows Server 2008 and in Windows Server 2008 R2. You can use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost.

You can use EFS to encrypt data files to prevent unauthorized access. EFS uses an encryption key that is dynamically generated to encrypt the file. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute that is named Data Decryption Field (DDF). To decrypt the FEK, you must have the corresponding EFS private key from the public-private key pair. After you decrypt the FEK, you can use the FEK to decrypt the file.

If your EFS private key is lost, you can use a recovery agent to recover encrypted files. Every time that a file is encrypted, the FEK is also encrypted with the Recovery Agent's public key. The encrypted FEK is attached to the file with the copy that is encrypted with your EFS public key in the Data Recovery Field (DRF). If you use the recovery agent's private key, you can decrypt the FEK, and then decrypt the file.

By default, if a computer that is running Microsoft Windows 2000 Professional is a member of a workgroup or is a member of a Microsoft Windows NT 4.0 domain, the local administrator who first logs on to the computer is designated as the default recovery agent. By default, if a computer that is running Windows XP or Windows 2000 is a member of a Windows Server 2003 domain or a Windows 2000 domain, the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent.

Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

255026 The local administrator is not always the default Encrypting File System recovery agent

Important After you export the private key to a floppy disk or other removable media , store the floppy disk or media in a secure location. If someone gains access to your EFS private key, that person can gain access to your encrypted data.

Export the recovery agent’s private key from a computer that is a member of a workgroup

To export the recovery agent’s private key from a computer that is a member of a workgroup, follow these steps:

Log on to the computer by using the recovery agent’s local user account.

Click Start, click Run, type mmc, and then click OK.

On the File menu, click Add/Remove Snap-in. Then click Add in Windows Server 2003, in Windows XP or in Windows 2000. Or click OK in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2.

Under Available Standalone Snap-ins, click Certificates, and then click Add.

Click My user account, and then click Finish.

Click Close, and then click OK in Windows Server 2003, in Windows XP or in Windows 2000. Or click OK in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2.

Export the domain recovery agent's private key

The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. If the Administrator profile or if the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost, and files cannot be recovered through that recovery agent.

If you click to select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only in situations when you need it to recover files. At all other times, export, and then store the recovery agent's private key offline to help maintain its security.

Click Next.

Specify a password, and then click Next.

Specify a file name and location where you want to export the certificate and the private key, and then click Next.

Note We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

REFERENCES

For more information about how to determine who the recovery agent is for an encrypted file , click the following article number to view the article in the Microsoft Knowledge Base:

243026 Using Efsinfo.exe to determine information about encrypted files

For more information about EFS, click the following article number to view the article in the Microsoft Knowledge Base: